Right now "git hash-object" will do some basic sanity checks of the
input using the usual parser code. This series teaches it to use the
fsck code instead, which should catch more things. See patch 6 for some
discussion of the implications.
The reason this is marked as an RFC is that at the end, compiling with
SANITIZE=address will provoke a failure in t3800. The issue is that
fsck_tag_standalone(), when fed a buffer/size combo, will look for a NUL
at the end of the headers, which might be buffer[size]. This is usually
OK for objects we've loaded from the odb, because we intentionally stick
an extra NUL at the end for safety. But here index_mem() may get an
arbitrary buffer.
I'm not sure yet of the right path forward. It's not too hard to add an
extra NUL in most cases, but one code path will mmap a file on disk. And
sticking a NUL there is hard (we already went down that road trying to
avoid REG_STARTEND for grep, and there wasn't a good solution).
The other option is having the fsck code avoid looking past the size it
was given. I think the intent is that this should work, from commits
like 4d0d89755e (Make sure fsck_commit_buffer() does not run out of the
buffer, 2014-09-11). We do use skip_prefix() and parse_oid_hex(), which
won't respect the size, but I think[1] that's OK because we'll have
parsed up to the end-of-header beforehand (and those functions would
never match past there).
Which would mean that 9a1a3a4d4c (mktag: allow omitting the header/body
\n separator, 2021-01-05) and acf9de4c94 (mktag: use fsck instead of
custom verify_tag(), 2021-01-05) were buggy, and we can just fix them.
[1] But I said "I think" above because it can get pretty subtle. There's
some more discussion in this thread:
https://lore.kernel.org/git/20150625155128.C3E9738005C@xxxxxxxxxxxxxx/
but I haven't yet convinced myself it's safe. This is exactly the
kind of analysis I wish I had the power to nerd-snipe René into.
Anyway, here are the patches in the meantime. I do think this is a good
direction overall, modulo addressing the NUL-terminator question.
[1/6]: t1007: modernize malformed object tests
[2/6]: t1006: stop using 0-padded timestamps
[3/6]: t7030: stop using invalid tag name
[4/6]: t: use hash-object --literally when created malformed objects
[5/6]: fsck: provide a function to fsck buffer without object struct
[6/6]: hash-object: use fsck for object checks
fsck.c | 29 ++++++++++-------
fsck.h | 8 +++++
object-file.c | 55 +++++++++++++-------------------
t/t1006-cat-file.sh | 6 ++--
t/t1007-hash-object.sh | 29 +++++++++++------
t/t1450-fsck.sh | 28 ++++++++--------
t/t4054-diff-bogus-tree.sh | 2 +-
t/t4058-diff-duplicates.sh | 2 +-
t/t4212-log-corrupt.sh | 4 +--
t/t5302-pack-index.sh | 2 +-
t/t5504-fetch-receive-strict.sh | 2 +-
t/t5702-protocol-v2.sh | 2 +-
t/t6300-for-each-ref.sh | 2 +-
t/t7030-verify-tag.sh | 2 +-
t/t7031-verify-tag-signed-ssh.sh | 2 +-
t/t7509-commit-authorship.sh | 2 +-
t/t7510-signed-commit.sh | 2 +-
t/t7528-signed-commit-ssh.sh | 2 +-
t/t8003-blame-corner-cases.sh | 2 +-
t/t9350-fast-export.sh | 2 +-
20 files changed, 101 insertions(+), 84 deletions(-)
-Peff
